1 / 34

Anatomization and Protection of Mobile Apps’ Location Privacy Threats

Anatomization and Protection of Mobile Apps’ Location Privacy Threats. Kassem Fawaz , Huan Feng, and Kang G. Shin Computer Science & Engineering The University of Michigan. Apps’ Location Privacy. What can we do about it?. 2. Apps’ Location Privacy. More than a decade of research

litten
Download Presentation

Anatomization and Protection of Mobile Apps’ Location Privacy Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Anatomization and Protection of Mobile Apps’ Location Privacy Threats KassemFawaz, Huan Feng, and Kang G. Shin Computer Science & Engineering The University of Michigan

  2. Apps’ Location Privacy What can we do about it? 2

  3. Apps’ Location Privacy • More than a decade of research • Lots of location privacy protection mechanisms • E.g., LP-Guardian, MockDroid, Caché, Koi, etc. • Few implementations/deployments: • Some have not been implemented with real-world apps • Others very difficult to deploy (require custom ROMS, etc.) • We are left with what OSes provide us

  4. Mobile OS Location Controls Install time permissions Per-app location switch Background location access http://arstechnica.com/gadgets/2015/05/android-m-dev-preview-launches-permission-controls-fingerprint-api-and-more/ https://support.apple.com/library/content/dam/edam/applecare/images/en_US/applecare/location_background.png

  5. Apps’ Location Privacy • Are OS-based controls effective in protecting the user’s location privacy? • If not, how can they be improved, in user-level, without modifying any app or the OS?

  6. This Talk Measurement and LP-Doctor are based on Android, but conclusions apply to other platforms

  7. Measurement https://thisisprable.files.wordpress.com/2014/05/tape-measure1.jpg

  8. Measurement < x, y, e,t1> Location-access pattern = F(app)  offline analysis < x, y, e,t3> App–tagged location traces App-usage pattern = F(user)  user-level collection

  9. Location-Access Patterns • Apps abuse the location permissions • Minority of the apps continuously access location • Focus on foreground location access

  10. App-Usage Patterns • App Usage Patterns Analysis • List of app sessions: • Three datasets: com.whatsapp,1395247179636,America/New_York,75,placeID:1,placeID:1

  11. Location-Access Model • Appsession maps to a place the user visited • 98% of app sessions started and ended at the same place • Model app as a histogram • Map place to number of visits • Sample of user’s mobility 92 visits 50 visits 92 visits 40 visits 25 visits

  12. Anatomy http://thegraphicsfairy.com/wp-content/uploads/2013/09/Vintage-Anatomy-Skeleton-Images-GraphicsFairy.jpg

  13. Location Privacy Metrics Capture and quantify the user’s original mobility pattern with the app’s histogram Probability of user visiting place # of visits app observed user at place

  14. Location Privacy Metrics • Four privacy metrics: • PoItotal: Portion of user’s identified significant places • The closer to 1, the more places are identified • PoIsens:Portion of identified rarely visited places • Represent “deviant” behaviors which are more sensitive • Profcont:KL divergence between histogram and mobility pattern • Distance between app’s observation and user’s mobility profile • Profbin: χ2 test with significance level of 0.05 • Whether the histogram (sample) is a good fit of the mobility pattern

  15. Threat Anatomy

  16. Threat Anatomy

  17. Threat Anatomy

  18. Threat Anatomy

  19. Are OS-Controls Effective? • Android location permissions • Fail as a notification and choice mechanism • App-usage behavior is independent from app’s location permissions • Background location blocking • Limits tracking (less than 10 minutes a day) but not profiling • Per-app permissions • Need to block location access of 10% of apps to neutralize each A&A library • Take-it or leave-it situation • Users can’t control when and where an app can access location

  20. LP-Doctor http://site.ambercity.com/images/mabis/legacy-sprague-lc-rappaport-type-stethoscope-adult-black-10-420-020-lr.jpg

  21. LP-Doctor: WHY? • Per-session location access control is needed • Existing OSes don’t provide an easy interface • User can’t decide on threat level, especially for A&A libraries • Our Solution: LP-Doctor – a user-level tool that: • Leverages and complements existing OS-controls • Is easy to install and use

  22. Threat Model • What’s in? • Honest-but-curious adversaries • Service providers or Advertisement and Analytics (A&A) agencies • Access location only through location APIs • Foreground location access • What’s out? • Background location access • Some platforms are providing controls like iOS • Operating systems and cellular operators • Users have no choice but to trust them • Security issues

  23. LP-Doctor What happens when the user installs an app? Apply protection before each session • Level decides: • Amount of noise added • Sensitivity level for

  24. LP-Doctor What happens when the user runs an app? Instrument the CyanogenMod app launcher Pause app execution Divert execution to LP-Doctor

  25. LP-Doctor What happens when the user runs an app? No Yes Yes No

  26. LP-Doctor What happens when the user runs an app? • Compute obfuscated location • Add 2-D Laplacian noise that achieves indistinguishability • Engage Android’s mock location provider • Apply same obfuscated location for future sessions of the same app from the place • Reduces information leaks

  27. LP-Doctor What happens when the user runs an app? • Remove noise • Reduce noise  • user adjusts privacy – QoS trade-off

  28. LP-Doctor What happens when the user runs an app? • Resume app launch • Delay less than 25 ms • End of app session: • Update app histogram • Disengage mock location provider

  29. User Study • Recruited 227 participants from Amazon Mechanical Turk • Used LP-Doctor with Yelp (N = 120) and Facebook (N = 122) One time effort Installation menu Notifications & Impact on QoS

  30. User Study Installation Menu Notification Appears only once for each 5 installed apps Appears for 12% of sessions on average

  31. User Study Yelp Facebook LP-Doctor adds noise automatically for 12% of the sessions on average of each app

  32. User Study Post study questions Comfortable with fake location? Comfortable with fake location? Install LP-Doctor or similar tool?

  33. Conclusion • Location privacy is a serious problem • Existing research proposals are impractical • Are OS-controls enough? • Measured threats from > 400 apps as used by > 100 users • Found that OS-controls are ineffective and inefficient • We propose LP-Doctor that is practical and effective • Future work: • Test LP-Doctor in the wild to study deployment challenges

  34. Thank You! Questions? KassemFawaz kmfawaz@umich.edu github.com/kmfawaz/LP-Doctor

More Related